XML Injection

Affecting org.codehaus.plexus:plexus-utils artifact, versions [,3.0.24)

Overview

org.codehaus.plexus:plexus-utils is a collection of various utility classes to ease working with strings, files, command lines, XML and more.

Affected versions of this package are vulnerable to XML Injection. The org.codehaus.plexus.util.xml.XmlWriterUtil#writeComment method does not check whether the comment text it writes contains a "-->" sequence, which is the token that terminates an XML comment. This flaw could be abused so that text contained in the command string passed to the method breaks out of the comment and is interpreted as XML markup, possibly leading to XML injection issues.
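The following is an added example (not plexus-utils code) that reproduces the failure mode described above in a small, self-contained form: a comment writer that wraps its input verbatim, beside two hardened variants (one that rejects "--" and one that neutralises it). The element names, the document layout and the injected input are all constructed for illustration, and the mitigation is our own rather than the library's fix.

```python
"""Added example: an XML comment writer that does not check for "-->" lets
comment text escape the comment, while a checking writer does not.
Hypothetical code, not the plexus-utils implementation."""
import xml.etree.ElementTree as ET


def write_comment_unsafe(text: str) -> str:
    # Mirrors the flaw in the advisory: the text is wrapped verbatim, so a
    # "-->" inside it closes the comment early and whatever follows is markup.
    return f"<!-- {text} -->"


def write_comment_strict(text: str) -> str:
    # Mitigation 1 (assumed, not the library's): XML 1.0 forbids "--" inside
    # a comment, so any "--" (which includes "-->") is rejected outright.
    if "--" in text:
        raise ValueError('comment text must not contain "--"')
    return f"<!-- {text} -->"


def write_comment_safe(text: str) -> str:
    # Mitigation 2 (assumed, not the library's): neutralise every "--" run by
    # inserting a space. The loop terminates because each pass strictly
    # reduces the number of adjacent hyphen pairs.
    while "--" in text:
        text = text.replace("--", "- -")
    return f"<!-- {text} -->"


def render_document(comment: str, writer) -> str:
    # Constructed document: a comment followed by a single <role> element,
    # standing in for any config file the writer is used to emit.
    return f"<config>{writer(comment)}<role>user</role></config>"


def role_elements(xml: str) -> list:
    # Parse the emitted document and report which <role> elements a consumer
    # would actually see. Comments are dropped by ElementTree, so only
    # markup that escaped the comment shows up here.
    root = ET.fromstring(xml)
    return [e.text for e in root.findall("role")]


# Constructed input: comment text carrying a "-->" that closes the comment,
# an extra element, and a "<!--" that reopens a comment to swallow the tail.
INJECTED_COMMENT = "build note --><role>admin</role><!--"


if __name__ == "__main__":
    print(role_elements(render_document(INJECTED_COMMENT, write_comment_unsafe)))
    print(role_elements(render_document(INJECTED_COMMENT, write_comment_safe)))
    try:
        write_comment_strict(INJECTED_COMMENT)
    except ValueError as exc:
        print("rejected:", exc)
```

With the unchecked writer the parsed document contains two <role> elements, the injected "admin" one first; with the neutralising writer only the legitimate "user" element survives, and the strict writer refuses the input altogether. Rejecting is the better default when the comment text comes from outside the trust boundary, since it surfaces the problem instead of silently rewriting it.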

Remediation

Upgrade org.codehaus.plexus:plexus-utils to version 3.0.24 or higher.

CVSS Score

3.1 (low severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:U
Credit: Florian Weimer
CWE: CWE-91
Snyk ID: SNYK-JAVA-ORGCODEHAUSPLEXUS-461102
Disclosed: 21 Sep, 2015
Published: 06 Sep, 2019